Difference between revisions of "Open ORCA Questions"

From PublicWiki
Jump to: navigation, search
(Organizational policy)
(General questions)
Line 2: Line 2:
  
  
 +
 +
I'll write up an email thursday based on responses I get from people. I have a blurb of an email outlined here, but more specific questions will be summarized from the list below. Please add to it, or send me an email at travis at cs.washington.edu.
 +
 +
=== Email ===
 +
 +
We are mainly computer science phd students and law school students, with a smattering of other disciplines and faculty, that are generally interested in the intersection of the law and technology. We have spent some 8 weeks discussing ORCA and what issues should be considered in order for a responsible and successful ORCA deployment to happen. We've been basing our discussions mainly on bits and pieces of data about ORCA that we've collected from the web, as well as other transit systems like it. We're hoping that you'll be able to help us understand the specifics of ORCA, policy-wise, legally, and technically. We also hope that this will be a first opportunity for us to be able to share with you our thoughts as stakeholders.
  
 
=== General questions ===
 
=== General questions ===
  
 +
* What is changing between this system and the old system? What do you gain (variable rates, more throughput)?
 
* What is the overall vision of ORCA in the future?
 
* What is the overall vision of ORCA in the future?
 
* What are the big hurdles you've encountered so far?
 
* What are the big hurdles you've encountered so far?
 
* What are the significant obstacles you see in the near and distant future?
 
* What are the significant obstacles you see in the near and distant future?
* What legal issues have come to the fore in making ORCA possible?
+
* What legal issues have come to the fore in making ORCA possible? Have the transit agencies been participating in developing the Washington electronic bill of rights?
 +
* How does ORCA differ from other ERG-contracted transit systems like Oyster, in terms of policy and technology?  
  
==== Organizational policy ====
+
==== Data management ====
  
 +
* I take a trip on the bus. From the time I swipe my card until the time I get off, what gets read from the card, where does the data go, and when does it get stored to a central database?
  
* How are they managed (organizationally, legally)
+
* What exactly is stored in the database? How long is the data kept? Is it aggregated or does it remain connected to personal data? Where is the data stored?
* Is there a citizens advisory board? How is compliance with the policies ensured?
 
  
 +
Data retention. We know it is held for a min of 90 days, but what's the max? What data are you collecting and why?
  
* Have the transit agencies been participating in developing the Washington electronic bill of rights?
+
* What data is stored on the card and what is stored in the database? Are the unique identifiers salted on the card?
  
 +
* What technology is used to transmit data from the RFID readers on the bus to the central database? Is it encrypted? Is it sent via wifi or physically transmitted via disk?
  
 +
* Who has access to what data? Are there any limits to who has access?
  
 +
==== Transit agency policy ====
  
What other applications are you planning on beyond transit? We know about the UW-Pass and Boeing, but who else? Who will you interoperate with?
+
* What are the key points of your privacy policy?
  
How does KC Metro currently handle law-enforcement information. Given that data (entrance/exit) data may be collected for min 90 days. you worried about an increase in requests (see uk)
+
* As a user of the ORCA card, what are the terms and conditions? What contract do I sign and when?
  
Who are the "partner participants"? What gets sent to third party? Is it aggregate or individual records? Can this data be sold? If so, in what formats?
+
* How does KC Metro currently handle requests for information by law-enforcement? Given that data (entrance/exit) data may be stored for a minimum of 90 days, are you worried about an increase in requests (e.g. as the Oyster card has seen)?
  
How are the boundaries of applications defined? Do you have plans to expand beyond transit. And if so, who do you classify as a third party and what data flows between these new applications? Who can issue new cards?
+
* Will there be options to opt-out of using an ORCA card while using public transit, or will these options be phased out over time?
  
what is your privacy policy? what are the five key points?
+
* Are there processes in place for fixing incorrect data?
  
What are my options to opt-out. Are these reasonable options?
+
* Will transit users be able to view data that has been collected about them?
  
Who gets sued when something goes wrong?
+
* Is there an audit trail that individuals and institutional partners can use to trace whom the data has been given out to (e.g. D.C. deployment)?
  
What are you changing between this system and the old system? What do you gain (variable rates, more throughput)? What do you see as the long term change.
+
* How does KC Metro view ownership of the transit data?
  
 +
* Is there a citizens advisory board? How is compliance with the policies ensured?
  
As a user of the system, what are the terms and conditions? What contract do I sign?
+
==== Institutional partners and third parties ====
  
Data
+
* How are they managed (organizationally, legally)
I take a trip on the bus. From the time I swipe my card till the time I get off, where does the data go, what does it get added, and when does it it disappear?
 
  
 +
* Are there other applications planned beyond transit, such as the use of ORCA cards as commercial debit cards? If so, how are the boundaries of applications defined? Who do you classify as a third party and what data flows between these new applications?
  
How long is the data kept and what form (aggregate) is it stored?
+
* What gets sent to third party? Is it aggregate or individual records? Can this data be sold? If so, in what formats? Who can issue new cards?
 
 
Who has access to what data and how?
 
Where is the data stored?
 
How does KC Metro view ownership of data?
 
How is it shared?
 
Is there an audit trail? Transparency builds trust.
 
Is there a way fix incorrect data?
 
 
 
Can I look at data about me (as opposed to my data).
 
 
 
What data is stored on the card and what is stored in the database? Are the unique identifiers salted on the card?
 
 
 
How does data get back to the central database? Is it sent in the clear? Via wifi? smoke signals?
 
 
 
Data retention. We know it is held for a min of 90 days, but what's the max? What data are you collecting and why?
 
 
 
If there are one-use cards, what are the issuers entitled to (data wise
 
  
Can we get access to an ORCA card/reader?
+
* Who will be the major initial institutional partners? We know about the UW-Husky card integration and Boeing, but are there others? How do you see these institutional partnerships growing in the future?
  
To Do
+
* Who will be authorized to sell/distribute one-use cards? What data will these card issuers be entitled to?
Who will be there?  
 
We are not n00bs...
 
Perhaps bring a lawyer and a technician
 

Revision as of 05:02, 10 May 2007

email to be sent to Kevin

I'll write up an email thursday based on responses I get from people. I have a blurb of an email outlined here, but more specific questions will be summarized from the list below. Please add to it, or send me an email at travis at cs.washington.edu.

Email

We are mainly computer science phd students and law school students, with a smattering of other disciplines and faculty, that are generally interested in the intersection of the law and technology. We have spent some 8 weeks discussing ORCA and what issues should be considered in order for a responsible and successful ORCA deployment to happen. We've been basing our discussions mainly on bits and pieces of data about ORCA that we've collected from the web, as well as other transit systems like it. We're hoping that you'll be able to help us understand the specifics of ORCA, policy-wise, legally, and technically. We also hope that this will be a first opportunity for us to be able to share with you our thoughts as stakeholders.

General questions

  • What is changing between this system and the old system? What do you gain (variable rates, more throughput)?
  • What is the overall vision of ORCA in the future?
  • What are the big hurdles you've encountered so far?
  • What are the significant obstacles you see in the near and distant future?
  • What legal issues have come to the fore in making ORCA possible? Have the transit agencies been participating in developing the Washington electronic bill of rights?
  • How does ORCA differ from other ERG-contracted transit systems like Oyster, in terms of policy and technology?

Data management

  • I take a trip on the bus. From the time I swipe my card until the time I get off, what gets read from the card, where does the data go, and when does it get stored to a central database?
  • What exactly is stored in the database? How long is the data kept? Is it aggregated or does it remain connected to personal data? Where is the data stored?

Data retention. We know it is held for a min of 90 days, but what's the max? What data are you collecting and why?

  • What data is stored on the card and what is stored in the database? Are the unique identifiers salted on the card?
  • What technology is used to transmit data from the RFID readers on the bus to the central database? Is it encrypted? Is it sent via wifi or physically transmitted via disk?
  • Who has access to what data? Are there any limits to who has access?

Transit agency policy

  • What are the key points of your privacy policy?
  • As a user of the ORCA card, what are the terms and conditions? What contract do I sign and when?
  • How does KC Metro currently handle requests for information by law-enforcement? Given that data (entrance/exit) data may be stored for a minimum of 90 days, are you worried about an increase in requests (e.g. as the Oyster card has seen)?
  • Will there be options to opt-out of using an ORCA card while using public transit, or will these options be phased out over time?
  • Are there processes in place for fixing incorrect data?
  • Will transit users be able to view data that has been collected about them?
  • Is there an audit trail that individuals and institutional partners can use to trace whom the data has been given out to (e.g. D.C. deployment)?
  • How does KC Metro view ownership of the transit data?
  • Is there a citizens advisory board? How is compliance with the policies ensured?

Institutional partners and third parties

  • How are they managed (organizationally, legally)
  • Are there other applications planned beyond transit, such as the use of ORCA cards as commercial debit cards? If so, how are the boundaries of applications defined? Who do you classify as a third party and what data flows between these new applications?
  • What gets sent to third party? Is it aggregate or individual records? Can this data be sold? If so, in what formats? Who can issue new cards?
  • Who will be the major initial institutional partners? We know about the UW-Husky card integration and Boeing, but are there others? How do you see these institutional partnerships growing in the future?
  • Who will be authorized to sell/distribute one-use cards? What data will these card issuers be entitled to?